Buffer Overflows in PHP Forms and mod_ssl

03/04/2002

Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a remote exploit
against PHP; buffer overflows in mod_ssl, Apache-SSL, Chinput, the
Cryptographic File System daemon, and xtell; and problems in Oracle,
netfilter's IRC DCC connection module, BRU, User Mode Linux, Xoops,
KICQ, SphereServer, and Open UNIX's and UnixWare's webtop.

The PHP functions that deal with multipart/form-data POST requests
have buffer overflows that can be used by a remote attacker to execute
arbitrary code with the permissions of the user executing PHP.
Versions 3.x and 4.x of PHP are reported to be
vulnerable. The 4.20-dev branch of the PHP code available by CVS is
not vulnerable.

It is recommended that users upgrade to version 4.1.2 or newer of PHP
as soon as possible. A possible workaround for this problem is to
edit the php.ini file and set file_uploads to off.

mod_ssl, a module that provides SSL (Secure Sockets Layer) for the
Apache Web server, has a buffer overflow in the session-caching code
that uses dbm and shared memory; it may be exploitable using a large
client certificate.

Apache-SSL is also vulnerable to this buffer overflow. All versions
of Apache-SSL prior to version 1.3.22+1.46 are reported to be
vulnerable.

Users should upgrade mod_ssl to version 2.8.7-1.3.23 or newer and
Apache-SSL to version 1.3.22+1.46 or newer as soon as possible.

Oracle 8 and 9 systems are vulnerable to a remote attack that can be
used to execute any PL/SQL function in any library without a user ID
or password.

If PL/SQL functionality is not needed, users should consider disabling
it by removing the proper entries from tnsnames.ora and listener.ora.
It is also recommended that the Oracle server be placed behind a
firewall, configured to not allow unauthorized connections to the
listener, and that users watch Oracle for an update for this problem.

The netfilter system in Linux kernels version 2.4.14 and later has an
IRC DCC connection tracking helper module that handles outgoing IRC
DCC send requests. There is a problem in this module that can be
exploited, under some circumstances, by a remote attacker to make a
single connection from the outside network to the port specified in
the IRC DCC request on any host inside the protected network.

It is recommended that all affected users upgrade their Linux kernel
to version 2.4.18-pre9 or newer or apply the available patches.

BRU is a system backup and restoration application designed to work
with any backup device or file system. Some of the shell scripts
provided with BRU are vulnerable to temporary-file symbolic-link race
condition attacks that can be used by a local attacker to overwrite
arbitrary files on the file system with the permissions of the user
executing BRU (in many cases, root).
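The temporary-file symbolic-link race described above comes from shell scripts that write to predictable paths under /tmp. As an added example that is not part of the column or of BRU, the following POSIX shell script shows the hardened alternative (an atomically created private file from mktemp) and a simple audit check that counts predictable temp paths in a script; the sample script it scans is constructed here, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: hardened temporary-file handling and a check for the
# predictable /tmp/name or /tmp/name.$$ pattern behind symlink races.

# Create a private temp file. mktemp creates it atomically with mode 0600
# and a random suffix, so a symlink pre-planted at a guessable path is
# never followed. Prints the path on success.
make_tmpfile() {
    _tmp=$(mktemp "${TMPDIR:-/tmp}/bru-example.XXXXXX") || return 1
    # Defence in depth: refuse to proceed unless we got a regular file.
    if [ -L "$_tmp" ] || [ ! -f "$_tmp" ]; then
        rm -f "$_tmp"
        return 1
    fi
    printf '%s\n' "$_tmp"
}

# Audit helper: count lines in the script given as $1 that reference a
# path under /tmp or /var/tmp without going through mktemp. Such lines
# are candidates for the race condition and deserve manual review.
count_predictable_tmp() {
    # grep -c prints the count even when it is zero; ignore its exit status.
    grep -Ev 'mktemp' "$1" | grep -Ec '(^|[^A-Za-z0-9_])/(var/)?tmp/' || true
}

# Constructed sample of the weak pattern (not BRU's actual scripts):
# two fixed or PID-based paths and one correct mktemp call.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
LOG=/tmp/backup.log.$$
echo "starting" > $LOG
TABLE=/tmp/bru_table
ls -l /etc > $TABLE
SAFE=$(mktemp /tmp/safe.XXXXXX)
EOF
}

# Stand-alone run: audit the constructed sample, then demonstrate the
# hardened temp file and clean up.
sample=$(mktemp "${TMPDIR:-/tmp}/sample-script.XXXXXX")
write_sample_script "$sample"
echo "predictable temp paths found: $(count_predictable_tmp "$sample")"
safe=$(make_tmpfile)
echo "private temp file created at: $safe"
rm -f "$sample" "$safe"
```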

Xoops, an open-source Web-based portal written in PHP with a MySQL
back end, is vulnerable to a cross-site scripting attack in the Private
Message System that can be used to execute arbitrary JavaScript in
other users' browsers, and to a vulnerability that can be used to execute
arbitrary SQL commands.

xtell, a network-enabled tell client, is vulnerable to buffer
overflows and other problems that may be exploitable by a remote
attacker to execute arbitrary code with the permissions of the user
running xtell. A script has been released that automates a remote
exploit against xtell. It has been reported that xtell is vulnerable
through version 2.6.1.

It is recommended that users upgrade xtell to version 2.7 or disable it
as soon as possible.